From 9d3e76f3f332b0f7542188df06a5184d21e7d993 Mon Sep 17 00:00:00 2001
From: Jeremy Blum <jeremy@jeremyblum.com>
Date: Fri, 3 Apr 2026 10:50:38 -0700
Subject: [PATCH] netdev: use SAE PWE both for fullmac external auth

For fullmac external SAE, iwd currently forces Hunt-and-Peck and does
not include NL80211_ATTR_SAE_PWE in the connect request.

This prevents successful association with H2E-capable APs on at least
some fullmac drivers, since userspace is effectively constraining SAE
to Hunt-and-Peck while not advertising the intended SAE PWE policy to
nl80211.

For fullmac SAE connections without PMKSA reuse, request
NL80211_SAE_PWE_BOTH and stop forcing Hunt-and-Peck on the SAE state
machine. This keeps the fullmac external-auth path aligned with the
actual SAE policy instead of hard-wiring HnP.

Tested on a CYW43455/brcmfmac fullmac device using firmware 7.45.286,
where this change fixes WPA3 association and traffic on H2E-capable APs.

Signed-off-by: Jeremy Blum <jeremy@jeremyblum.com>
---
 src/netdev.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/netdev.c b/src/netdev.c
index e639a1f8..94520b5c 100644
--- a/src/netdev.c
+++ b/src/netdev.c
@@ -2600,6 +2600,11 @@ static struct l_genl_msg *netdev_build_cmd_connect(struct netdev *netdev,
 	uint32_t auth_type = IE_AKM_IS_SAE(hs->akm_suite) && !hs->have_pmksa ?
 					NL80211_AUTHTYPE_SAE :
 					NL80211_AUTHTYPE_OPEN_SYSTEM;
+	uint8_t sae_pwe = nhs->type == CONNECTION_TYPE_FULLMAC &&
+				IE_AKM_IS_SAE(hs->akm_suite) &&
+				!hs->have_pmksa ?
+				NL80211_SAE_PWE_BOTH :
+				NL80211_SAE_PWE_UNSPECIFIED;
 	enum mpdu_management_subtype subtype = prev_bssid ?
 				MPDU_MANAGEMENT_SUBTYPE_REASSOCIATION_REQUEST :
 				MPDU_MANAGEMENT_SUBTYPE_ASSOCIATION_REQUEST;
@@ -2618,6 +2623,8 @@ static struct l_genl_msg *netdev_build_cmd_connect(struct netdev *netdev,
 	l_genl_msg_append_attr(msg, NL80211_ATTR_MAC, ETH_ALEN, hs->aa);
 	l_genl_msg_append_attr(msg, NL80211_ATTR_SSID, hs->ssid_len, hs->ssid);
 	l_genl_msg_append_attr(msg, NL80211_ATTR_AUTH_TYPE, 4, &auth_type);
+	if (sae_pwe != NL80211_SAE_PWE_UNSPECIFIED)
+		l_genl_msg_append_attr(msg, NL80211_ATTR_SAE_PWE, 1, &sae_pwe);
 
 	switch (nhs->type) {
 	case CONNECTION_TYPE_SOFTMAC:
@@ -4218,7 +4225,6 @@ static void netdev_connect_common(struct netdev *netdev,
 					netdev_external_auth_sae_tx_associate,
 					netdev);
 		sae_sm_force_default_group(netdev->ap);
-		sae_sm_force_hunt_and_peck(netdev->ap);
 	}
 
 	if (sae_sm_is_h2e(netdev->ap)) {